Critical Nation-State APT TLP:CLEAR

Warp Panda (UNC5221)

Also tracked as: UNC5221, WARP PANDA

Threat Actor Intelligence Profile

China-nexus state-sponsored espionage actor targeting edge network devices and virtualization infrastructure. Known for zero-day exploitation of Ivanti VPN and VMware vCenter systems with exceptional operational security and extended dwell times.

Origin: China (PRC)
Primary Targets: Gov, IT/MSPs, Defense
Avg Dwell Time: 393 Days
Zero-Days Used: 5+ Confirmed

Download Full Intelligence Profile

Complete threat actor dossier including attribution analysis, targeting profile, TTPs, malware arsenal, campaign history, IOCs, and detection recommendations.


Looking for BRICKSTORM Technical Details?

BRICKSTORM is the primary backdoor used by Warp Panda. For technical malware analysis and hunting procedures, visit the BRICKSTORM Tool Overview or download the BRICKSTORM Hunting Guide.

Executive Summary

Warp Panda (tracked by Mandiant as UNC5221) is a sophisticated cyber espionage actor assessed with high confidence to operate in support of People's Republic of China strategic objectives. The group emerged in late 2023 with aggressive zero-day exploitation campaigns targeting edge network devices.

The actor demonstrates exceptional operational security, extensive knowledge of cloud and virtualization environments, and the ability to maintain persistent access for extended periods—with documented dwell times averaging 393 days. This makes them one of the most persistent threats currently tracked.

Warp Panda is notable for its "cloud-conscious" targeting methodology, focusing on network edge devices (Ivanti VPN, F5 BIG-IP) that typically lack endpoint detection capabilities, then pivoting to virtualization infrastructure (VMware vCenter/ESXi) to maximize access while evading detection.

The group has exploited at least 5 zero-day vulnerabilities since 2023, demonstrating access to advanced exploit development capabilities. Their primary malware, BRICKSTORM, provides file management, SOCKS proxy, and command-and-control capabilities via DNS-over-HTTPS to evade network monitoring.

Key Characteristics

Primary Attack Vectors

Zero-day exploitation of edge devices (Ivanti VPN, VMware vCenter), valid account abuse, web shells

Business Impact

Long-term espionage, intellectual property theft, credential harvesting, supply chain compromise via SaaS/MSP targeting

Malware Arsenal

BRICKSTORM, Junction, GuestConduit, SPAWN ecosystem (SPAWNANT, SPAWNMOLE, SPAWNSNAIL), TRAILBLAZE, BRUSHFIRE

Notable Tradecraft

DNS-over-HTTPS C2, VSOCK tunneling, rogue VM creation, log tampering, Integrity Checker Tool (ICT) bypass

Target Technologies

Ivanti Connect Secure VPN, VMware vCenter/ESXi, F5 BIG-IP, Citrix NetScaler, Azure/M365, Active Directory

Attribution

HIGH confidence PRC state-sponsored. Targeting aligns with Chinese strategic priorities. Tracked by Mandiant, CrowdStrike, CISA.

What's in the Full Report

Attribution analysis with confidence assessment
Complete targeting profile (industries, regions, technologies)
Detailed TTPs mapped to MITRE ATT&CK
Malware arsenal breakdown (10+ tools)
Timeline of 4 major campaigns (2023-2025)
Current indicators of compromise (IOCs)
Network, host, cloud, and VMware detection guidance
Defensive recommendations and mitigations

Detection Rules

Copy these queries to detect Warp Panda / BRICKSTORM activity in your environment.

BRICKSTORM Process Execution

index=linux (sourcetype=syslog OR sourcetype=auditd)
| search process_name IN ("vmsrc", "vnetd", "if-up", "viocli", "vts", "vmckd", "vmware-sphere", "updatemgr", "vami")
| where process_path LIKE "%/etc/sysconfig/%" OR process_path LIKE "%/opt/vmware/sbin/%"
| stats count by host, process_name, process_path, user
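As an added illustration (not part of this profile or of any vendor tooling), the following Python applies the same process-name-plus-path logic as the query above directly to raw auditd execve records, which is useful on appliances whose logs are not yet forwarded to a SIEM. The auditd lines are constructed samples, shortened to the fields the check needs; the syscall number 59 assumes x86_64.

```python
import re
from collections import Counter

# Process names from the BRICKSTORM query (names that impersonate VMware components).
SUSPECT_NAMES = {"vmsrc", "vnetd", "if-up", "viocli", "vts", "vmckd",
                 "vmware-sphere", "updatemgr", "vami"}
# Directories the query associates with BRICKSTORM drops (matched anywhere in the path,
# mirroring the LIKE "%dir%" clauses).
SUSPECT_DIRS = ("/etc/sysconfig/", "/opt/vmware/sbin/")

# Constructed, shortened auditd SYSCALL records for illustration only.
SAMPLE_AUDITD = """\
type=SYSCALL msg=audit(1712345678.101:41): syscall=59 success=yes uid=0 comm="vmsrc" exe="/etc/sysconfig/vmsrc" key="exec"
type=SYSCALL msg=audit(1712345678.102:42): syscall=59 success=yes uid=0 comm="vami" exe="/opt/vmware/share/vami/vami" key="exec"
type=SYSCALL msg=audit(1712345678.103:43): syscall=59 success=yes uid=1000 comm="vnetd" exe="/opt/vmware/sbin/vnetd" key="exec"
type=SYSCALL msg=audit(1712345678.104:44): syscall=59 success=yes uid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=CWD msg=audit(1712345678.104:44): cwd="/"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_auditd(line):
    """Return the key=value fields of one auditd record with surrounding quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def suspicious_execs(log_text):
    """Return (comm, exe, uid) for execve records whose name AND path both match."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_auditd(line)
        # Only SYSCALL records for execve (59 on x86_64) describe a process launch.
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "59":
            continue
        comm, exe = rec.get("comm", ""), rec.get("exe", "")
        if comm in SUSPECT_NAMES and any(d in exe for d in SUSPECT_DIRS):
            hits.append((comm, exe, rec.get("uid")))
    return hits


def summarize(hits):
    """Mirror the query's stats clause: count occurrences by (name, path, uid)."""
    return Counter(hits)
```

A legitimate VMware component under its normal directory (the vami record above) is not flagged; only the name-plus-path combination the query describes is.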

DNS-over-HTTPS to Known Providers

index=network (sourcetype=firewall OR sourcetype=proxy) dest_port=443
| search dest_ip IN ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")
| lookup infrastructure_server_list.csv src_ip OUTPUT role
| where isnotnull(role)
| stats count by src_ip, dest_ip, dest_port
| where count > 100

infrastructure_server_list.csv stands in for your own lookup of server and appliance IPs (columns src_ip and role); the lookup keeps only sources that appear in it, since servers and edge appliances have little reason to talk to public resolvers over HTTPS.

Suspicious ESXi SSH Access

index=vmware sourcetype=vmware:esxi:sshd
| search "Accepted publickey" OR "Accepted password"
| stats count by src_ip, user, host
| lookup authorized_esxi_admins.csv user OUTPUT authorized
| where isnull(authorized)

These detection rules are provided for defensive security purposes. Always test rules in a non-production environment before deployment. Rules may require tuning for your specific environment.

Notable Campaigns

Dec 2023 - Jan 2024

Operation Cutting Edge

Zero-day exploitation of CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN. Over 1,700 devices compromised globally before patches were available.

Apr 2024 - Sep 2025

VMware vCenter Long-Term Persistence

Documented by CISA AR25-338A. Persistent access to U.S. critical infrastructure using BRICKSTORM backdoor. Average dwell time: 393 days.

Summer 2025

Legal & Technology Sector Espionage

CrowdStrike-tracked campaign targeting U.S. legal, technology, and manufacturing firms. Pivoted to Microsoft Azure environments for data exfiltration.

Mar 2025 - Present

Ivanti CVE-2025-22457 Zero-Day Campaign

Exploitation of critical buffer overflow began mid-March 2025, weeks before public disclosure. Deployed new TRAILBLAZE and BRUSHFIRE malware. Status: ACTIVE.


Track Warp Panda with BRACE

BRACE delivers monthly sector-specific threat intelligence covering actors like Warp Panda. Each report includes MITRE ATT&CK mapping, detection rules, and hunting playbooks tailored to your industry.